Bug 2211694 - annocheck: false positive in fortify test for i686 binaries.
Keywords:
Status: MODIFIED
Alias: None
Product: Fedora
Classification: Fedora
Component: annobin
Version: 39
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Nick Clifton
QA Contact: Fedora Extras Quality Assurance
URL: https://artifacts.dev.testing-farm.io...
Reported: 2023-06-01 14:10 UTC by Jesus Checa
Modified: 2023-08-16 08:10 UTC

Fixed In Version: annobin-12.12-1.fc39

Description Jesus Checa 2023-06-01 14:10:32 UTC
As seen in https://artifacts.dev.testing-farm.io/03533289-6f2e-43cc-a169-5d4a793d8ae0/ annocheck reports fortify as failed in i686 binaries with one of these two messages:

-------------- 
Hardened: /usr/bin/valgrind: FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected) (source: final scan)
----- or -----
Hardened: /usr/bin/valgrind-listener: FAIL: fortify test because -D_FORTIFY_SOURCE=[2|3] was not present on the command line (function: setsockopt) (source: annobin notes)
--------------

The binaries are coming from valgrind-3.21.0-5.fc39 (https://koji.fedoraproject.org/koji/buildinfo?buildID=2207502). However this test passes for the binaries inside valgrind-3.21.0-4.fc39 (https://koji.fedoraproject.org/koji/buildinfo?buildID=2202010), and these were compiled and linked with the exact same flags.

I also ran annocheck directly on the files of both valgrind builds to check that this is not caused by rpminspect: 

--------------
[/var/tmp/rpminspect/local.lbRZ70/root]
$ annocheck --ignore-unknown --skip-lto --profile=rawhide after/i686/usr/bin/valgrind --debug-file=after/i686/usr/lib/debug/usr/bin/valgrind-3.21.0-5.fc39.i386.debug 
annocheck: Version 12.10.
Hardened: using profile: rawhide.
Hardened: valgrind: FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected) 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
Hardened: valgrind: Overall: FAIL.
[/var/tmp/rpminspect/local.lbRZ70/root]
$ annocheck --ignore-unknown --skip-lto --profile=rawhide before/i686/usr/bin/valgrind --debug-file=before/i686/usr/lib/debug/usr/bin/valgrind-3.21.0-4.fc39.i386.debug 
annocheck: Version 12.10.
Hardened: using profile: rawhide.
Hardened: valgrind: PASS.
--------------

Reproducible: Always

Steps to Reproduce:
1. rpminspect-fedora -v -a i686 -T annocheck valgrind-3.21.0-5.fc39

Actual Results:  
fortify test failed in /usr/bin/valgrind, /usr/bin/valgrind-listener, /usr/bin/vgdb

Expected Results:  
fortify test passes.

Comment 1 Nick Clifton 2023-06-01 14:14:28 UTC
The problem is that the new annobin string notes have been moved into the separate debuginfo file, but annocheck was not examining it...

Comment 2 Nick Clifton 2023-06-02 14:05:43 UTC
Should be fixed in annobin-12.12-1.fc39

Comment 3 Fedora Release Engineering 2023-08-16 08:10:02 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.
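
Added example (not part of the bug report, and not annobin or rpminspect code): a triage helper for CI logs that parses annocheck output in the format quoted in the description and flags fortify failures produced by an annocheck release older than the fixed 12.12, so they are re-run rather than trusted or dismissed. The names `triage` and `FIXED_IN` are hypothetical, and the sample input is constructed from the messages quoted above.

```python
import re

# Constructed sample, assembled from the annocheck messages quoted in the report.
SAMPLE = """\
annocheck: Version 12.10.
Hardened: using profile: rawhide.
Hardened: /usr/bin/valgrind: FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected) (source: final scan)
Hardened: /usr/bin/valgrind-listener: FAIL: fortify test because -D_FORTIFY_SOURCE=[2|3] was not present on the command line (function: setsockopt) (source: annobin notes)
Hardened: valgrind: Overall: FAIL.
"""

FIXED_IN = (12, 12)  # annobin-12.12-1.fc39, the fixed version named in the bug

VERSION_RE = re.compile(r"^annocheck: Version (\d+)\.(\d+)")
FAIL_RE = re.compile(r"^Hardened: (?P<file>\S+): FAIL: (?P<test>\S+) test because (?P<reason>.+)$")
SOURCE_RE = re.compile(r"\s*\(source: (?P<source>[^)]+)\)$")


def triage(output):
    """Hypothetical helper: parse annocheck output and flag fortify failures
    produced by a release older than the fix, so they get re-run, not trusted."""
    version, findings = None, []
    for raw in output.splitlines():
        line = raw.strip()
        if (m := VERSION_RE.match(line)):
            version = (int(m.group(1)), int(m.group(2)))
        elif (m := FAIL_RE.match(line)):
            finding = m.groupdict()
            src = SOURCE_RE.search(finding["reason"])
            finding["source"] = src.group("source") if src else None
            finding["reason"] = SOURCE_RE.sub("", finding["reason"])
            findings.append(finding)
    stale = version is not None and version < FIXED_IN
    for finding in findings:
        # A flagged result is still a failure until a fixed annocheck, given
        # the matching --debug-file, reports PASS for the same binary.
        finding["recheck"] = stale and finding["test"] == "fortify"
    return version, findings


if __name__ == "__main__":
    ver, results = triage(SAMPLE)
    for r in results:
        action = "re-run with annobin >= 12.12" if r["recheck"] else "investigate"
        print(f"{r['file']}: {r['test']} FAIL ({r['source']}): {action}")
```

Output with no `annocheck: Version` line is never flagged, so a failure of unknown provenance stays an ordinary finding.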

